handshake -l crashes on Windows against OpenSSL master: free_ctx_pool() frees OSSL_LIB_CTX before the SSL_CTX #91

Description

@quarckster

handshake in SSL_CTX-pool mode (-l, TC_SSL_CTX_POOL) crashes with an access violation (0xC0000005) on Windows when built against OpenSSL master (4.1.0-dev). -s / -p / -P are fine, and -l is fine against 3.0–4.0. It crashes at threadcount=1, so it's deterministic. This fails the nightly perf pipeline on every Windows worker (only for the master build).

Cause

source/handshake.c:free_ctx_pool() frees the OSSL_LIB_CTX before the SSL_CTX created from it:

OSSL_LIB_CTX_free(ctx_pool[i]->libctx);   /* (1) */
SSL_CTX_free(ctx_pool[i]->sctx);          /* (2) server SSL_CTX holds the key */
SSL_CTX_free(ctx_pool[i]->cctx);

In -l mode sctx is SSL_CTX_new_ex(libctx, …) with the server key loaded, so its EVP_KEYMGMT lives in libctx. Freeing libctx first makes SSL_CTX_free release the key through a dangling keymgmt → AV in evp_keymgmt_freedata (crypto/evp/keymgmt_meth.c:404). All objects from an OSSL_LIB_CTX must be freed before the libctx.

Fix

Reorder so the SSL_CTXs are freed before the OSSL_LIB_CTX:

SSL_CTX_free(ctx_pool[i]->sctx);
SSL_CTX_free(ctx_pool[i]->cctx);
OSSL_LIB_CTX_free(ctx_pool[i]->libctx);

Confirmed: this makes handshake -t -l run cleanly against the same master build.

Reproduce

build\handshake.exe -t -l -s <openssl-master>\test\certs 1   # crash 0xC0000005

(The pipeline logs rc: 5 = 0xC0000005 & 0xFF, from the PowerShell exit $p.ExitCode wrapper.) Affected: OpenSSL master only, Windows only (Linux/macOS/FreeBSD pass).
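The lifetime rule stated in the issue (everything created from an OSSL_LIB_CTX is freed before the libctx), modelled as an added example that is not part of the original issue or the tool's code. `lib_ctx`, `ssl_ctx`, `pool_entry` and their functions are hypothetical stand-ins, not OpenSSL APIs; the guard turns a parent-first free into an error return at the call site.

```c
#include <stdlib.h>

/* Hypothetical stand-ins (not OpenSSL types) for OSSL_LIB_CTX and SSL_CTX:
 * a child keeps a pointer into its parent, as sctx's key does via keymgmt. */
typedef struct { int live_children; } lib_ctx;
typedef struct { lib_ctx *owner; } ssl_ctx;
typedef struct { lib_ctx *libctx; ssl_ctx *sctx, *cctx; } pool_entry;

static lib_ctx *lib_ctx_new(void) { return calloc(1, sizeof(lib_ctx)); }

static ssl_ctx *ssl_ctx_new(lib_ctx *owner)
{
    ssl_ctx *c = owner ? malloc(sizeof(*c)) : NULL;
    if (c != NULL) { c->owner = owner; owner->live_children++; }
    return c;
}

/* Releasing a child touches the parent, so the parent must still be alive. */
static void ssl_ctx_free(ssl_ctx *c)
{
    if (c != NULL) c->owner->live_children--;
    free(c);
}

/* Guard: return -1 and keep the parent alive while children remain. */
static int lib_ctx_free(lib_ctx *l)
{
    if (l != NULL && l->live_children != 0) return -1;
    free(l);
    return 0;
}

/* Children first, parent last; tolerates NULL members, clears pointers. */
static int pool_entry_free(pool_entry *e)
{
    ssl_ctx_free(e->sctx); e->sctx = NULL;
    ssl_ctx_free(e->cctx); e->cctx = NULL;
    if (lib_ctx_free(e->libctx) != 0) return -1;
    e->libctx = NULL;
    return 0;
}

/* Returns 1 when the parent-first order is refused and the children-first
 * teardown then succeeds; with_cctx == 0 leaves the entry partially built. */
int parent_first_is_refused(int with_cctx)
{
    pool_entry e = { lib_ctx_new(), NULL, NULL };
    e.sctx = ssl_ctx_new(e.libctx);
    if (with_cctx) e.cctx = ssl_ctx_new(e.libctx);
    int refused = (lib_ctx_free(e.libctx) == -1);
    return refused && pool_entry_free(&e) == 0 && e.libctx == NULL;
}
```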

Status
Done